CSP: apply extra CSP rules only when ext-theme is enabled (#11466)

This is breaking our gold view on the org site (no beta).
This is since we don't have script-src defined on .com,
and when applying the extra rules, we are defining it with just that value.

Author: stsewd

readthedocs/gold/tests/test_views.py

@@ -1,7 +1,7 @@
 import re
 
 from django.contrib.auth.models import User
-from django.test import TestCase
+from django.test import TestCase, override_settings
 from django.urls import reverse
 from django_dynamic_fixture import get
 
@@ -12,7 +12,16 @@ def setUp(self):
 
     def test_csp_headers(self):
         self.client.force_login(self.user)
-        response = self.client.get(reverse("gold_detail"))
-        self.assertEqual(response.status_code, 200)
-        csp = response["Content-Security-Policy"]
-        self.assertTrue(re.match(r".*\s+script-src [^;]*'unsafe-inline'", csp))
+        csp_header = "Content-Security-Policy"
+        script_src_regex = re.compile(r".*\s+script-src [^;]*'unsafe-inline'")
+        url = reverse("gold_detail")
+
+        with override_settings(RTD_EXT_THEME_ENABLED=False):
+            resp = self.client.get(url)
+            self.assertEqual(resp.status_code, 200)
+            self.assertIsNone(script_src_regex.match(resp[csp_header]))
+
+        with override_settings(RTD_EXT_THEME_ENABLED=True):
+            resp = self.client.get(url)
+            self.assertEqual(resp.status_code, 200)
+            self.assertTrue(script_src_regex.match(resp[csp_header]))

readthedocs/gold/views.py

@@ -4,15 +4,13 @@
 
 import stripe
 import structlog
-from csp.decorators import csp_update
 from django.conf import settings
 from django.contrib import messages
 from django.contrib.auth.models import User
 from django.http import HttpResponseRedirect, JsonResponse
 from django.shortcuts import get_object_or_404
 from django.urls import reverse_lazy
 from django.utils import timezone
-from django.utils.decorators import method_decorator
 from django.utils.translation import gettext_lazy as _
 from rest_framework import permissions
 from rest_framework.renderers import JSONRenderer
@@ -29,14 +27,6 @@
 log = structlog.get_logger(__name__)
 
 
-@method_decorator(
-    # Allow inline scripts for the gold view.
-    # We are using inline javascript to initialize Stripe Checkout.
-    # Allowing inline scripts defeats the purpose of using CSP,
-    # but we are limiting it to this view.
-    csp_update(SCRIPT_SRC="'unsafe-inline'"),
-    name="dispatch",
-)
 class GoldSubscription(
     PrivateViewMixin,
     DetailView,
@@ -49,6 +39,18 @@ class GoldSubscription(
     form_class = GoldSubscriptionForm
     template_name = "gold/subscription_detail.html"
 
+    def dispatch(self, request, *args, **kwargs):
+        response = super().dispatch(request, *args, **kwargs)
+        # Allow inline scripts for the gold view.
+        # We are using inline javascript to initialize Stripe Checkout.
+        # Allowing inline scripts defeats the purpose of using CSP,
+        # but we are limiting it to this view.
+        # TODO: use the `@csp_update` decorator once we are running
+        # ext-theme by default.
+        if settings.RTD_EXT_THEME_ENABLED:
+            response._csp_update = {"script-src": "'unsafe-inline'"}
+        return response
+
     def get(self, *args, **kwargs):
         subscribed = self.request.GET.get("subscribed", None)
         if subscribed == "true":